Stolen Administrator Credentials Led to Breach of University Systems
Early this year, the University of Maryland suffered a data breach affecting more than 300,000 students and personnel, prompting an investigation by the Secret Service and resulting in testimony before Congress by the UMD president.
And as the Chronicle of Higher Education reported, the total cost of the data breach could easily reach millions of dollars, with expenses spread across five years of credit monitoring plus legal and IT forensics firm fees.
Another case in early 2013 involving the Maricopa County Community College (MCCCD) has resulted in costs totaling $19.7 million - a hacked server was never replaced, leading to the discovery of 14 databases containing 2.5 million employee and student records. Find out more in College Data Breach Triples in Cost to Nearly $20 Million; Tuition Raised.
Two Breaches in Two Months
UMD’s initial breach by an external attacker occurred in February, but it was followed by another breach in March carried out by an ex-contractor of the university. The hacker claimed to be a whistleblower, and his breach into UMD’s databases was intended to show just how poorly secured they were. He replicated the February breach and posted the personal information of a university official on Reddit.
The vigilante hacker was formerly employed with a tech firm contracted by the university, as the Washington Post reports.
The first breach was detailed in testimony of UMD’s president, Wallace Loh, before the U.S. Senate Committee on Commerce, Science, and Transportation. Attackers targeted a photo-sharing site of the university, uploading a trojan while using the Tor network to hide their identity.
They managed to get into UMD’s IT management directory, steal and change IT administrator passwords, and gain access to a database containing the names, SSNs and university IDs of students and staff - proving, once again, that relying on passwords alone to protect sensitive information gives remote attackers an easy way in.
A Single Password: The Downfall
Loh emphasized the specific difficulties that universities face with cybersecurity, including centralization and finding a balance between security and access:
“A university is an open organization; there are many points of access because it is all about the free exchange of information,” Loh said in his testimony. “In the private sector, you can centralize cybersecurity. You cannot do that at a university, so we have to find that proper balance between security and access, and that is the challenge for all universities.”
While that may be true, the common vein in many data breaches across many different sectors is the ability to use a single password to access the data of thousands, if not millions, of users, from SSNs to credit and debit card numbers, as exemplified in the Target CFO’s own testimony to Congress alongside UMD’s president.
And that shows a clear need for stronger authentication, which two-factor authentication can provide for any type of login, and particularly for administrative logins, which often carry privileged access to sensitive databases.
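To make the point concrete, here is an added example (not code from the original post, and not Duo's or UMD's software) of what an administrative login looks like once a second factor is required: the server checks the password and then a time-based one-time code (TOTP, RFC 6238) from the administrator's authenticator app, so a stolen or changed password on its own is no longer enough. The account store, salt and password are constructed for the demo; the TOTP secret is the published RFC 6238 test-vector key, and the helper names (hotp, totp, verify_totp, login) are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6     # code length shown by most authenticator apps

# Constructed demo account. The TOTP secret is the RFC 6238 test-vector key
# ("12345678901234567890" in base32); real deployments generate a random
# per-account secret and share it with the user's authenticator once.
DEMO_SALT = b"constructed-demo-salt"
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) for the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


ACCOUNTS = {
    "it-admin": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("constructed-demo-password", DEMO_SALT),
        "totp_secret": DEMO_SECRET,
        "last_counter": -1,   # highest TOTP step already accepted (replay guard)
    }
}


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at_time // TOTP_STEP, digits)


def verify_totp(secret_b32: str, code: str, at_time: int, window: int = 1):
    """Return the matched time-step counter, or None. Accepts +/- `window`
    neighbouring steps to absorb clock drift; comparison is constant-time."""
    counter = at_time // TOTP_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), code):
            return counter + delta
    return None


def login(username: str, password: str, otp_code: str, now: int) -> str:
    """Two-factor login check. Returns 'ok' or a 'denied: ...' reason.
    In production the reason goes to the audit log, not back to the client."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "denied: unknown user"
    # Factor 1: something you know. A leaked or reset password gets you only this far.
    if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"]):
        return "denied: bad password"
    # Factor 2: something you have. The code is derived from a secret that never
    # left the authenticator, so it cannot be read out of the directory.
    matched = verify_totp(acct["totp_secret"], otp_code, now)
    if matched is None:
        return "denied: bad second factor"
    # A code captured off the wire must not be usable again in the same step.
    if matched <= acct["last_counter"]:
        return "denied: second factor replayed"
    acct["last_counter"] = matched
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)        # what the authenticator app would show
    print(login("it-admin", "constructed-demo-password", "000000", now))  # wrong code
    print(login("it-admin", "constructed-demo-password", code, now))      # ok
    print(login("it-admin", "constructed-demo-password", code, now))      # replayed
```

The replay guard is the part most home-grown implementations forget: without it, a one-time code observed on the network is valid for the rest of its 30-second step, which is plenty of time for an automated relay.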
Find out more about two-factor solutions in our Two-Factor Authentication Evaluation Guide.